Most common PIN codes (2012) (datagenetics.com)
127 points by dhotson 4 days ago | hide | past | favorite | 88 comments

Previous discussion:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - (56 points, 18 comments, 5 days ago)


Thanks! Macroexpanded:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - May 2024 (19 comments)

Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)

The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)

PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)

Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)

(https://news.ycombinator.com/item?id=40306374 didn't get any frontpage time so we won't treat current post as a dupe)


Funny/stupid anecdote: a bunch of my kids' friends have the same phone unlock PIN as me because I set my son's new phone PIN the same as mine so he would also be able to unlock my phone if necessary.

When his friends started getting phones as well, they copied his. This has migrated through some of the friends' siblings as well.


One of my kids' friends uses the same PIN as I had when he was a kid. I would give him and my kid my debit card and they would go get pizza if they cleaned my office.

Quick, we should all use the least common pin numbers.

I switched my passwords to correct-horse-battery-staple and now I'm super secure.


I'm using correct-horce-battery-staple to fool those pesky kids with dictionaries.

l337 converter gives: c0rr3c7-h0r53-b4773ry-574pl3.

Veritasium says 37 is the most frequently-encountered number people pick between 1 and 100. I guess people subconsciously just want to be 1337.

https://youtu.be/U6fxkOL83V4


most frequently-encountered RANDOM number people pick

I changed mine to Hunter2. LOL, at least HN strips out your password when you type it in a comment.


1234!? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

1-2-3-4, that's amazing, I have the same combination on my luggage!

(sigh) 1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

For serious though - one reason such utterly trivial codes are common is because the "lock" is just used as a fancy way of preventing the zipper from coming undone.

Likewise, on the internet, a lot of things prompt for passwords that really don't need them. People create throwaway accounts and use them as if they were temporary anonymous sessions.


Trust me, for the luggage this is a brilliant combination. Or something like 0000. Unless I work for a 3-letter institute, I leave all luggage at its default or the usual. If someone steals a piece of luggage, that PIN is the least of the problem, but everyone else in the household will have a problem if you forgot your super-smart PIN.

Edit: The joke hit me a tad late. ;-)


I have a PIN lock on a shared device that friends use occasionally. Of the three friends I have given guest access to, all three asked for their PIN to be 1234, to which I said no. One had the audacity to follow up with 123456.

Thank you so much. This is the comment I was hoping for in this thread.

I moved to Switzerland, and, well, PIN codes for credit cards are 6 digits here by default.

And now I'm asking myself why no one else does this. I don't see hordes of Swiss people complaining about being unable to remember a 6-digit PIN, at least.


One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough). My other credit union only does four digits.

I think remembering one 6-digit PIN would be fine, but in the US, it's common to have many banking relationships. If I needed a pin for every credit card, I'd have to write them on the cards or set them all the same.


Not sure how this is handled in Switzerland, and I don't have good data on this, but I'd say a lot of people in Europe have at least a debit and a credit card with a PIN each.

Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…


> Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…

Why not have the same password for all your banking accounts then? But everyone says not to reuse passwords.

If someone takes your wallet, it'd be nice if they don't drain all the accounts based on figuring out the pin of one card?


Because in most cases you already use your card interchangeably across a wide variety of (hopefully sealed and certified) terminal devices.

Meanwhile your password is very specific to one website, and never entering it elsewhere is key to phishing prevention.

(my "security domain" comment was probably worded a bit poorly with the reference to your wallet, the relevant point is that most people consider card terminals interchangeable.)


>Also nothing says you can't use the same PIN for multiple cards

he said he can't choose his PIN:

>One of my credit unions gives out (randomized) five digit pins


All cards have randomized pins and can later be changed.

No, some cards you choose the PIN for from the start and never get a randomized PIN.

Some banks somewhere in the world might make it a policy not to let you set PINs but to force random ones; you can't definitively say what you are saying, rather we can only go by what he said.


Nothing in this sentence

> One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough).

says that the PIN on that card can't be changed.


Is there any difference that materially changes security? Where would the extra two digits come into play?

Because (I imagine) you can't really brute force it. If you only have 3 or something tries, it doesn't really make that much of a difference.

And the person that stole your card would just try 123456 instead of 1234 etc and roughly would have a similar chance of success


Valid point.

That said, guessing the PIN isn't the only attack; longer PINs also mean that you have to "spy" more digits, which can be significant if the "spying" method is not 100% reliable.

But yeah. I guess it doesn't matter as long as you have a lockout mechanism.


You’ll need to be sure that all the places your cards will go accept the 6 digit PIN. Granted this was 20 years ago, but we were in Europe and couldn’t use my wife’s ATM card because she had a 6 digit PIN and all the ATMs we encountered only allowed 4 digits.

Sounds like it may be the reverse with Europe going the 6 digit route, but I think 4 digits is still pretty universal — I think most interfaces provide an enter key to terminate the PIN?


The very first ATM card I ever got, in the mid 80s in Texas, had a 6 digit PIN. When I got to choose it, it let me put 4 to 6 digits so I chose 6. A few years later they sent me my first debit card with a note that it had the same PIN. It did not. It had been truncated to 4 digits. Which made me unhappy because clearly it was sitting in plaintext in a database somewhere.

Even with a 6 digit PIN, why care that it was stored? If someone has access to the bank's infrastructure and the PINs aren't there, they might as well be, even with computers from the 80s.

With how small the space of PINs is, is there any point in hashing? To make brute-forcing every PIN infeasible you'd have to make the hash difficulty time intolerably long.

Majority don’t use PIN anymore - just tap card/phone.

Just needs an 'enter your PIN code to see how common it is!'.

I love DataGenetics, lots of interesting puzzles like that on there. There's a very unique style to all the visualizations and the solutions/analyses are always clear.

Sadly, there was a post by the author in June 2019 about being diagnosed with Stage IV cancer [0]. There have been no posts since July 2022. I sincerely hope that's just because Nick doesn't have the time to blog anymore.

[0] https://datagenetics.com/blog/june12019/index.html



Sadly no more blog posts from him in this universe:

https://www.theguardian.com/science/2022/oct/17/can-you-solv...


61 pins are used by 1/3rd of all people. So statistically, if I steal 61 debit cards, assuming I have 3 tries, and assuming people choose their own pin, I should be able to get cash off one in expectation.

18% of people use the top 3 pins, so you would need 6 cards to expect to get 1. 56 cards would give you an expectation of 10.

Try this and report back!

Honestly that sounds sufficiently secure for what it is.

I used to be lead dev for a big streaming site with >2m users and, well, no judgment here please, but the passwords were plaintext in the database.

So me and another dev ran a SQL script to see what the most common were.

  #1 was trustno1
  #2 was password
  #3 was 1234
We had no password rules either, so IIRC you could have a 1-char password.

I always liked Brian Kernighan's password "/.,/.," [1]. If you're going for a stupid password anyway, you might as well make it easy to type. "password" is not particularly nice to type; I wonder why "asdf" is not generally more popular.

[1] https://arstechnica.com/information-technology/2019/10/forum...


asdf and qwerty were up there in the top 10 I think. This was just prior to the days of SQL injection and I'm 100% sure you could have erased our entire production DB with a really "strong" password.

I think the situation for actual PIN codes may be slightly better than suggested; sometimes (in the UK at least) your bank will assign you an initial PIN and I expect many people won’t change it, and by using a dump of passwords, you’ve probably captured some people who have created throwaway accounts and chosen the easiest possible password.

Before reaching the bottom of the article, I was wondering about 19xx codes, given that I've heard many people using years, or month/day pairings for garage door codes and such.

I was glad to see those plotted out. I was also initially surprised that not a single 19xx pin made the top 20, but I suppose it makes sense considering that there are 100 different combinations of this code.


I think most people who think of using a date would use MMDDYY or some equivalent format they're used to.

2000 is #7, 2001 is #19. Guess what they mean. Oh wait, it was in 2012.

Probably their child's birth year

If this site did have a field where you could enter a pin to see how common it was, you could make a really targeted phishing attack by sending the link to someone whose pin you want to know, then looking at what they click on or enter ("I'll just see how good my pin is...")

This piece reminds me of the four-digit lockbox that holds the key to get out onto our roof. Great views up there.

I knew that mathematically it would be pretty easy to brute force, and figured I could belt out a thousand combos per day and probably get it done within the week or so. "Well, no time like the present," I thought, "...better get crackin'." ((of knuckles))

Changed the combo to 0000, pulled the handle, and... click! Opened on the first try. :-D


TIL brute-forcing from 0000 to 9999 is a decent strategy.

In (game) Rust, the players can use 4 digit keylocks to secure their bases and brute forcing is indeed a strategy. The lock zaps and eventually kills you but even with that, a determined player can eventually get in.

Not that many futurama fans in those data breaches ...

1077

> Anderson: "So. What do I owe you?"

> Fry: "10.77. Same as my PIN number."

So many silly scenes like this. I want to re-watch Futurama because the last time I watched it was as a teenager, so I'm sure I missed many of the subtle jokes.


Seeing my pin as one of the least common ... guess I need to change my pin because they're about to be some of the most common...

Repeats, sequences, dates, and those ending in 7.

Use a CSPRNG and as long a PIN as possible to prevent rampant spending. ;@)


If this analysis is from 2012, I wonder if the results would look much different using data since then? Would any patterns have changed that much? Other than more birth years in 20--, my initial guess would be no.

Side note: DataGenetics was my favorite blog in the mid-2010s. Lots of great posts:

http://www.datagenetics.com/blog.html


Whenever I'm asked for a 4 digit PIN: `echo $[RANDOM%10000]`

You should probably use SRANDOM; less bias from the modulo (32 bits instead of 15) and uses arc4random or /dev/urandom if available.

TIL, thanks!

I'll remember to prioritise 0000 to 2767 for your PINs, then.

Just so you can see the bias to early numbers in the distribution:

    for i in $(seq 1000000); do
        echo $((RANDOM % 10000))
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 1000; plot '< cat' using 0:1 with boxes"

I think this gnuplot command makes the bias much more obvious (and even better with -persist and "set terminal x11"): gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"

Compare to the version that discards values over 3e4:

    for i in $(seq 1000000); do
        x=$((RANDOM))
        # keep only 0..29999: three full copies of 0..9999, so no residue is favoured
        while test $x -ge 30000; do x=$((RANDOM)); done
        echo $((x % 10000))
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
Or the version that uses the 32-bit SRANDOM, which reduces the bias by a factor of 2**17:

    for i in $(seq 1000000); do
        echo $((SRANDOM % 10000))    # SRANDOM needs bash 5.1 or newer
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 100; plot '<cat'"
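Worked example, added here and not from any commenter: it computes exactly which residues `RANDOM % 10000` over-represents (the 0000..2767 range mentioned above), the same figure for the 32-bit SRANDOM, and generates a PIN by rejection sampling so that every value is equally likely. Function names are mine; the only assumptions are the bash value ranges stated in the thread.

```python
# Added example (not from the thread): modulo bias of `RANDOM % 10000`
# and a PIN generator that avoids it.
import secrets

PIN_SPACE = 10_000          # 0000..9999
RANDOM_MAX = 2**15 - 1      # bash $RANDOM: 15-bit value, 0..32767
SRANDOM_MAX = 2**32 - 1     # bash $SRANDOM: 32-bit value

def residue_counts(max_value, modulus=PIN_SPACE):
    """Inputs 0..max_value reduced once mod `modulus`: every residue gets
    `base` hits and residues below `extra` get one more. Returns (base, extra)."""
    return divmod(max_value + 1, modulus)

def hits(residue, max_value, modulus=PIN_SPACE):
    """How many inputs land on `residue`; the over-represented residues are
    exactly the ones an attacker would rank first."""
    base, extra = residue_counts(max_value, modulus)
    return base + (1 if residue < extra else 0)

def relative_bias(max_value, modulus=PIN_SPACE):
    """Over-representation of the favoured residues: 4/3 for $RANDOM,
    429497/429496 for $SRANDOM (the 2**17 improvement noted above)."""
    base, _ = residue_counts(max_value, modulus)
    return (base + 1) / base

def rejection_cutoff(max_value, modulus=PIN_SPACE):
    """Largest multiple of `modulus` that fits in 0..max_value; draws at or
    above it are discarded so every residue gets exactly `base` hits."""
    base, _ = residue_counts(max_value, modulus)
    return base * modulus

def unbiased_pin(draw, max_value=RANDOM_MAX, modulus=PIN_SPACE):
    """Rejection sampling: `draw()` returns an integer in 0..max_value."""
    cutoff = rejection_cutoff(max_value, modulus)
    while True:
        x = draw()
        if x < cutoff:
            return f"{x % modulus:04d}"

def random_pin():
    """Practical version: secrets.randbelow already rejection-samples."""
    return f"{secrets.randbelow(PIN_SPACE):04d}"

if __name__ == "__main__":
    base, extra = residue_counts(RANDOM_MAX)
    print(f"$RANDOM % 10000: residues 0..{extra - 1} get {base + 1} hits, the rest {base}")
    print(f"bias factor {relative_bias(RANDOM_MAX):.4f} for RANDOM vs "
          f"{relative_bias(SRANDOM_MAX):.8f} for SRANDOM")
    print("unbiased PIN:", random_pin())
```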

My sister had a key lock box at home that she didn't know the code for.

I had a look on YouTube and sure enough there was an easy way to pick the lock.

The resulting code - 01234


I like that '1701' is lit up brightly in there... Please excuse me while I go and change my PIN.

I was disappointed that my typical PIN for low security things like the snack storage closet at work, 2112, isn't there. I figured there would be more Rush fans than there are I guess.

If we start picking the least popular pin codes they'll stop being the least popular. What a tragedy

I've changed my PIN codes to use the least used ones now. Nobody can guess them so I am very secure.

Glad to know my choice of code is relatively unused I guess

Not a single least common PIN contains all prime numbers, which is interesting.

I think the venn diagram of “people who find primes interesting” and “people who understand password security” is pretty close to a circle.

3,5,7 line up on the diagonal, leaving 2 as the only other prime. So people using physical patterns are likely to choose them. Not to mention any mathematically inclined person may also choose all primes.

that’s amazing! I’ve got the same combination on my luggage!

And change the combination on my luggage!

Actual article: http://www.datagenetics.com/blog/september32012/index.html

Should be changed to this, rather than screenshot + link blogspam.


Ok, we've changed the url from https://informationisbeautiful.net/visualizations/most-commo... to that. Thanks!

Looks like my PIN code, 4968, is pretty secure. I recommend using that one if you aren't already.

What is your pin code? All I see is ****.

6969

I think the least common PIN codes are fascinating. I'm surprised by the number of 7s in these. They look like numbers you would end up with if you asked someone to think of a random 4 digit number.

List transcribed by ChatGPT: 8557, 8438, 9539, 7063, 6827, 0859, 6793, 0738, 6835, 8093, 9047, 0439, 8196, 6693, 7394, 9480, 8398, 7637, 9629, 8068.


During tax season (in US), for security, you may optionally create a 5 digit pin. I wanted mine to be unaffiliated with any existing pin I have, and chose a 'random' number and wrote it down. A year later I repeated this (and had long since forgotten the previous pin), went to go write it in the same place, and saw that both 'random' numbers had the same first four digits. I now use a computer to choose random numbers because I no longer trust myself to be random.

I thought the self selected PIN for filing a return was required for online filing, and that it was just an indicator of intent, like a signature.

Does it serve a security function? Am I supposed to remember what it is?

I know the IRS does have an identity protection PIN process, but that's separate.


I know about the identity protection PIN, so I've been assuming this whole time that's what I was choosing a number for. It is possible I was just doing the self selected PIN and wasn't aware that I should be doing something additional for other one. FWIW I haven't needed the PIN later but saved them in case I did.

